How do I get proper ssh-agent functionality in GNOME?

Problem: When I try to run ssh-add under GNOME, it fails with the error message

Could not add identity "$HOME/.ssh/id_ecdsa": communication with agent failed

Background: GNOME uses gnome-keyring-daemon to provide ssh-agent functionality, but gnome-keyring-daemon is not a fully functional replacement for ssh-agent. Most importantly, it doesn't support elliptic curve keys; this has been known for five years. Another bug summarizes some of the other deficiencies of GNOME keyring. A similar problem used to exist for gnome-keyring-daemon's GPG agent functionality, which has been settled by disabling GPG in GNOME keyring.

(Note: I am not saying that the GNOME keyring daemon is bad, it's just not as feature-complete as some of the stuff it is trying to replace.)

To enable full ssh functionality, the ssh component of gnome-keyring-daemon must be replaced by the genuine ssh-agent. The following instructions demonstrate how that can be done on Fedora 24; the procedure should work on other recent Fedora releases, too. The procedure below does not disable or harm other functionality of GNOME keyring.

Disabling the ssh component of gnome-keyring-daemon

Fedora contains desktop files for the various components of GNOME keyring. Disable the ssh component by copying it to the personal configuration directory and disabling autostart for it:

If you want to do that for all users, edit /etc/xdg/autostart/gnome-keyring-ssh.desktop in place.
(You can try to disable this autostart component using gnome-tweak-tool instead, but it didn't work for me).
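The copy-and-disable step described above, as an added shell example that is not the post's own listing. It takes the source desktop file and the target autostart directory as parameters so it can be tried against a scratch directory first; the sample desktop file it can generate is constructed for that purpose.

```shell
#!/bin/sh
# Added example (not the post's own code): copy an autostart entry into the
# per-user autostart directory and mark the copy disabled, leaving the
# system-wide file under /etc/xdg/autostart untouched.
disable_autostart_entry() {
    src="$1"      # e.g. /etc/xdg/autostart/gnome-keyring-ssh.desktop
    dstdir="$2"   # e.g. "$HOME/.config/autostart"
    if [ ! -f "$src" ]; then
        echo "disable_autostart_entry: $src not found" >&2
        return 1
    fi
    mkdir -p "$dstdir"
    dst="$dstdir/$(basename "$src")"
    # Copy the entry, dropping any existing enable/hide keys, and place
    # Hidden=true plus X-GNOME-Autostart-enabled=false directly under the
    # [Desktop Entry] header so they belong to that group.
    awk '
        /^Hidden=/ || /^X-GNOME-Autostart-enabled=/ { next }
        { print }
        /^\[Desktop Entry\]$/ {
            print "Hidden=true"
            print "X-GNOME-Autostart-enabled=false"
        }
    ' "$src" > "$dst"
}

# Exit 0 if a per-user copy exists and carries Hidden=true.
autostart_entry_disabled() {
    f="$1"
    [ -f "$f" ] && grep -qx 'Hidden=true' "$f"
}

# Write a constructed sample entry (layout modelled on the Fedora file,
# for testing only) into the given directory; prints its path.
write_sample_entry() {
    mkdir -p "$1"
    f="$1/gnome-keyring-ssh.desktop"
    printf '%s\n' '[Desktop Entry]' 'Type=Application' 'Name=SSH Key Agent' \
        'Exec=/usr/bin/gnome-keyring-daemon --start --components=ssh' \
        'X-GNOME-Autostart-enabled=true' > "$f"
    echo "$f"
}

# Real use, as the user whose session should get the genuine ssh-agent:
#   disable_autostart_entry /etc/xdg/autostart/gnome-keyring-ssh.desktop \
#       "$HOME/.config/autostart"
```

Log out and back in afterwards; `ps -u "$USER" -o args | grep keyring` should then show no `--components=ssh` process, and `gnome-tweak-tool` will list the entry as disabled.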

Enabling pam_ssh

The pam_ssh package provides the functionality to start user sessions under ssh-agent. Again, manual editing of PAM configuration files is required. It would make sense to put pam_ssh in the common "postlogin" file, but that file might be overwritten by authconfig, which unfortunately has no pam_ssh support as of 2016. Therefore here is a small shell snippet that adds pam_ssh wherever postlogin is referenced:

Then compile and load the policy module (requires policycoreutils-devel to be installed):

make -f /usr/share/selinux/devel/Makefile
semodule -i pam_ssh.pp

Depending on your system configuration, more SELinux tweaking may be necessary. I recommend testing in permissive mode first (setenforce 0) and running audit2allow -b to generate a suitable policy module.

Comments

Since the introduction of authconfig's postlogin hook, it seems to place the generated file in /etc/pam.d/postlogin-ac, and /etc/pam.d/postlogin is just a symlink to that file. Is there a reason you don't want to just remove that symlink, and create your own postlogin that'll load pam_ssh and include postlogin-ac, instead of doing the sed hackery above?

Thank you for this excellent post. I learned today that Wayland required GSM_SKIP_SSH_AGENT_WORKAROUND="true" to be set or it overwrites SSH_AUTH_SOCK.
The following modification to your systemd solution works well: